
Re: group access "write" in OpenLDAP 2.1.4



On 13 Sep 2002 09:37:47 +0200
Tony Earnshaw <tonni@billy.demon.nl> wrote:

Tony,
thank you for your advice, but I still have some trouble.

> > I have created the following group.

> > +-dc=example,dc=com
> > +--cn=administrators,dc=example,dc=com
> > +--cn=fred blogs,dc=example,dc=com 
> 
> You haven't said whether you've made a record for Fred Bloggs, but I
> presume you have.

Yes. I have created a record for fred blogs.

And now, I have created a new record for michiko nagara.
cn=michiko nagara,dc=example,dc=com

> > dn:cn=administrators,dc=example,dc=com
> > cn: administrators of this region
> > objectclass: groupOfNames
> > objectclass: top
> > member: cn=fred blogs,dc=example,dc=com 
> > member: cn=somebody else,dc=example,dc=com
> 
> O.k.
> 
> > access to *
> >       by group="cn=administrators,dc=example,dc=com" write  
> >       by * auth
> 
> I have a group, peoplemanagers, that has *limited* rights to change
> certain attributes of members of a local group. These attributes are
> personal details, such as phone number, password etc.
> 
> This is the relevant line from my ACL, it works :-) This is on a single
> line:
> 
> by group="cn=peoplemanagers,ou=groups,dc=billy,dc=demon,dc=nl"
> dnattr=member write

I have changed my acl to the following.

access to *
       by group="cn=administrators,dc=example,dc=com" dnattr=member write  
       by * auth

I tried to modify dn "cn=fred blogs,dc=example,dc=com",
I got an error message:
ldap_modify: Insufficient access (50)

And I tried to modify dn "cn=michiko nagara,dc=example,dc=com",
I got the same error message.

> Well, it works for me (with 2.1.4 /Berkeley 4.0.14). So, have you
> indexed objectclass in slapd.conf (eq,pres), and have you run slapindex
> (don't forget that the indices in the DB directory have to be able to be
> read by the slapd user).

I have indexed objectclass in slapd.conf:

index  objectClass  pres,eq

and run slapindex.

Then, I tried to search filter "(objectclass=*)", but I got
no entries.

--
In my previous mail.

When I used OpenLDAP 2.1.3 with the same acl as the above-mentioned one,
I could get all entries.
Also, when I changed group.c v1.9.2.4 to v1.9.2.3 in OpenLDAP 2.1.4
and rebuilt, I could get all entries.

I have set acl as below:

access to *
       by group="cn=administrators,dc=example,dc=com"  write  
       by * auth

I could modify dn "cn=fred blogs,dc=example,dc=com"
and dn "cn=michiko nagara,dc=example,dc=com", with OpenLDAP 2.1.3.
And I could get all entries with OpenLDAP 2.1.3.

However, I cannot get any entries with OpenLDAP 2.1.4.

Thanks.
------
Michiko NAGARA
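The slapd.conf fragment below is an added example written for this thread; it is not code from the message or from the OpenLDAP project. It assumes the tree described above (a groupOfNames at cn=administrators,dc=example,dc=com and person entries such as cn=fred blogs,dc=example,dc=com that carry no member attribute) and shows the two ACL forms quoted in the thread side by side, with comments on what each one actually grants, followed by a narrower layout. The attribute name userPassword and the dn.exact / users keywords in the third block are assumptions about the local schema and the slapd.access(5) syntax available in 2.1.

```conf
# Added example, not from the thread. Assumed tree:
#   cn=administrators,dc=example,dc=com   (groupOfNames, member: ...)
#   cn=fred blogs,dc=example,dc=com       (person entry, no "member" attr)

# 1. The ACL as originally posted. Every member of the group gets write
#    on every entry matched by "access to *", and that includes the group
#    entry itself, so any member can add or remove other members. Everyone
#    else may only bind (auth) and cannot read anything.
access to *
       by group="cn=administrators,dc=example,dc=com" write
       by * auth

# 2. The variant with dnattr=member. All qualifiers in one "by" clause must
#    match: the bound DN has to be a member of the group AND has to be listed
#    in the TARGET entry's member attribute. A person entry has no member
#    attribute, so a modify of cn=fred blogs falls through to "by * auth" and
#    slapd answers "Insufficient access (50)". dnattr selects entries that
#    name the requester; it does not widen group membership.
access to *
       by group="cn=administrators,dc=example,dc=com" dnattr=member write
       by * auth

# 3. A narrower layout (assumed attribute and keyword names). slapd uses the
#    first "access to" whose target matches and, inside it, the first "by"
#    that matches, so specific clauses come first.
#    - The group entry is readable by any authenticated user but writable by
#      nobody through this ACL, so members cannot enlarge the group, and the
#      membership lookup does not depend on the group ACL itself.
#    - userPassword is writable by the group and by the entry's own owner,
#      never readable by others.
#    - Everything else: the group writes, everyone else may only bind.
access to dn.exact="cn=administrators,dc=example,dc=com"
       by users read
       by * auth

access to attrs=userPassword
       by group="cn=administrators,dc=example,dc=com" write
       by self write
       by * auth

access to *
       by group="cn=administrators,dc=example,dc=com" write
       by * auth
```

After changing ACLs, restart slapd and test each case with a bind as a group member and as a non-member: a search with filter "(objectclass=*)" as the member should return entries, a modify of a person entry as the member should succeed, and a modify of the group entry itself should be refused.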